Guidelines for financial services firms are set to be issued at European level
Guidelines which it is hoped will assist financial services firms in complying with their obligations under the Fourth Anti-Money Laundering Directive (Directive (EU) 2014/859) (AMLD4) are to be issued by the European Supervisory Authorities (the ESAs).
The ESAs comprise the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA).
Those businesses which have obligations under AMLD4 are known as Obliged Entities. Two categories of Obliged Entity are particularly susceptible to being used for money laundering (ML) and terrorist financing (TF) - credit and financial institutions (Firms). AMLD4 mandates the Joint Committee to issue guidelines to assist Firms and national competent authorities with applying the risk-based approach to anti-money laundering (AML) and counter-terrorist financing (CFT)
In October 2015, the Joint Committee of the ESAs issued two consultation papers:
- Draft guidelines addressed to credit and financial institutions on the risk factors to be taken into consideration and/or the measures to be taken in situations where simplified Customer Due Diligence (SCDD) and enhanced Customer Due Diligence (ECDD) are appropriate; and
- Draft guidelines addressed to national competent authorities on the characteristics of a risk-based approach to AML and CFT supervision and the steps to be taken when conducting supervision on a risk-sensitive basis.
(together, the Guidelines)
The consultation period for the proposed Guidelines closed on 22 January 2016. Subject to the results of the consultation process, the Guidelines are due to be adopted in the spring of 2016 and should therefore be ready in advance of the implementation of AMLD4 into the national laws of all EU Member States. Currently, AMLD4 is due to be transposed by 26 June 2017 but the European Commission has recently proposed that the implementation date for AMLD4 be brought forward to Quarter 4 of 2016.
In accordance with the legislation under which the ESAs were established, national competent authorities and Firms must make every effort to comply with the Guidelines once they are finalised and adopted by the ESAs.
In this briefing, we focus on the Guidelines addressed to Firms, and examine;
- the background to the proposed Guidelines;
- the changes introduced by AMLD4;
- the structure of the Guidelines;
- the current lack of official, approved AML/CFT guidance in Ireland for 'Designated Persons' (which term has been replaced with the term 'Obliged Entities' under the new AMLD4 regime).
AMLD4 updates existing EU AML and CFT laws to bring them in line with the revised standards issued in 2012 by the Financial Action Task Force (FATF), the international AML and CFT standard-setter. A key feature of AMLD4 is the emphasis it places on applying a risk-based approach in the fight against ML and TF.
The risk-based approach recognises that ML and TF risk varies from one Obliged Entity to another. Obliged Entities must make a bespoke assessment of the ML and TF risks applicable to their particular business, and also to the ML and TF risks posed by individual customers and transactions. The risk assessment will then dictate the steps that an Obliged Entity should take to manage the risks identified, including the type of 'know your customer' or customer due diligence (CDD) measures it should carry out. Obliged Entities are always required to apply CDD measures but may determine the extent of those measures on a risk-sensitive basis.
The annexes to AMLD4 set out lists of factors which an Obliged Entity should consider as indicating potentially lower risk or higher risk of ML and TF. However, these lists are not exhaustive so further guidance for Obliged Entities, particularly for Firms, is necessary.
The risk-based approach under AMLD4
The risk-based approach introduced in the Third Money Laundering Directive (AMLD3) has been refined under AMLD4 and will apply to Obliged Entities and the national competent authorities responsible for policing those Obliged Entities' compliance with AML and CFT rules.
It is hoped that AMLD4's renewed emphasis on the risk-based approach will bring about a change in mind-set in relation to AML/CFT and force Obliged Entities to engage more fully with their AML/CFT obligations by putting the onus on them to assess the ML and TF risks faced by their business.
Legislators want to ensure that the AML/CFT regime in the EU is effective in terms of outcomes (i.e. stopping and preventing ML and TF), rather than one in which Obliged Entities apply AML and CFT measures without due regard to risk, viewing those measures as no more than a “paper gathering exercise”.
Changes to CDD under AMLD4
AMLD4 introduces a number of changes to the CDD requirements in the existing AMLD3 regime, including;
- the removal of the entitlement to automatically apply SCDD in certain circumstances (known in Ireland as the 'Specified Customer' and 'Specified Product' exemptions). Under AMLD4, Obliged Entities must always conduct a risk assessment before applying SCDD.The criteria which would previously have automatically justified an SCDD approach (such as a customer being an appropriately authorised EU financial institution) will now be no more than one factor in deciding, on a risk- assessedbasis, whether it is appropriate to apply SCDD.
- the abolition of the current third-country equivalence regime, under which Designated Persons are permitted to automatically apply SCDD in relation to certain customers or transactions originating in non-EU jurisdictions which are regarded as having AML/CFT regimes equivalent to those in the EU.
Under AMLD4 Obliged Entities must always assess the risk posed by doing business with non-EU jurisdictions. In doing so, the Guidelines set out a number of factors which Firms should take into account, including whether the country is a member of FATF or a FATF-style regional body, and whether there is information from more than one credible source about the quality of that jurisdiction's AML/CFT controls.
The Guidelines are structured in two parts.
1. Assessing and managing risk - general part (Title II)
This part outlines how a Firm's assessment of the risk posed by a customer or transaction should start with a consideration of the Firm's overall business-wide risk assessment, which should then be set alongside the initial CDD carried out in relation to the particular customer or transaction. Title II sets out more than forty generic risk factors which Firms should consider in its assessment, under the categories of: customer risk; country/geographic risk; product, service and transaction risk; and delivery channel risk.
The Guidelines make clear that risk assessments consist of two distinct but related steps:
- the identification of ML/TF risk; and
- the assessment of the ML/TF risk identified.
The Guidelines set out how Firms should weigh the risks identified, including that risk weightings should not be unduly influenced by just one factor, and that Firms may override automatically generated risk scores but should document the rationale for doing so.
2. Sector-specific guidelines (Title III)
The generic guidance applicable to all Firms in Title II is complemented by the sector-specific guidance in Title III which sets out further risk factors of relevance to the following business sectors:
- Correspondent banks;
- Retail banks;
- Electronic money issuers;
- Money Remitters;
- Wealth management;
- Trade finance providers;
- Life Insurance undertakings;
- Investment Managers; and
- Providers of Investment Funds.
AML/CFT Guidance currently available to Obliged Entities in Ireland
The Criminal Justice Act 2010 (as amended) (the Act) sets out the statutory AML and CFT obligations applicable to Designated Persons but contains little or no detail on how those Designated Persons can ensure practical compliance. This is perhaps a natural consequence of the how the Act was drafted, in that the Act seeks to set generic requirements for a variety of Designated Persons operating in a range of different sectors.
The desirability of guidelines to elaborate on the Act's provisions was recognised in the Act itself, Section 107 of which provides that the Minister for Justice and Equality may approve guidelines, in consultation with the Minister for Finance, for the purpose of guiding Designated Persons on the application of Part 4 of the Act. In proceedings against a Designated Person for offences under the Act, Section 107 states that it would be a defence for that Designated Person to prove that they took all reasonable steps and exercised all due diligence, in line with guidelines approved under Section 107, to avoid committing an offence. In determining whether a Designated Person has established such a defence, a court may have regard to whether a Designated Person has complied with such guidelines.
No guidelines have been approved under Section 107 of the Act to date. Although the Department of Finance issued guidelines in February 2012 for Designated Persons operating in the financial services sector (the Department of Finance Guidance), which was supplemented by sectoral guidance in the banking, investment funds, stockbrokers, insurance, credit union and bureaux-de-change sectors, none of these were ever approved in the manner contemplated by Section 107.
From a regulatory viewpoint, the Central Bank of Ireland (the Central Bank) has regard to the Department of Finance Guidance when assessing compliance by Designated Persons with their AML/CFT obligations. However, Designated Persons have no guarantee that following the Department of Finance Guidance will offer them any defence in the event of a prosecution under the Act.
Arguably, the absence of approved AML/CFT guidelines under Section 107 of the Act has meant that Designated Persons have never had a firm footing in putting together a set of robust AML/CFT policies and procedures aimed at ensuring compliance with the Act, in particular how to properly assess ML and TF risk associated with particular customers or transactions. This unfortunately has led to differing standards of AML/CFT compliance measures across the financial services sector. The Central Bank published three separate reviews during 2015 on AML and CFT compliance in the Irish banking, credit union, and investment funds sectors. In each case, the Central Bank found deficiencies in the way in which Designated Persons in those sectors comply with their AML and CFT obligations, and highlighted a number of inadequate practices around risk assessments.
In the Central Bank's report on AML/CFT compliance in the banking sector, the Central Bank found that customer risk assessments are often based on subjective questions and are consequently prone to inconsistency in application.
While Designated Persons in Ireland have been operating without detailed AML/CFT guidance, in the UK, Obliged Entities have had the benefit of AML/CFT guidelines issued by the Joint Money Laundering Steering Group and approved by the UK Treasury.
The International Monetary Fund, in its report issued in May 2014 on the Observance of Standards and Codes in Ireland, in the banking and securities markets sectors, recommended that statutory AML/CFT guidelines be issued.
The Department of Finance Guidance and the supplemental sectoral guidelines will continue to be of relevance to Obliged Entities as they are wider in scope than the Guidelines; they also provide guidance on how to comply with AML/CFT requirements around recordkeeping, staff training and the reporting of suspicious transactions. The Department of Finance Guidance and supplemental sectoral guidelines will, however, need to be updated to reflect the requirements of AMLD4. It is hoped that the Department of Finance, the Central Bank and industry can come together at the earliest available opportunity to discuss the implications of AMLD4 and to finalise appropriate and practical guidelines for Obliged Entities in the financial services sector. This would avoid the delays experienced in the issuance of similar guidance following the transposition AMLD3 into Irish law.
In that regard the early engagement by the ESAs in publishing the Guidelines for consultation is to be welcomed and has highlighted the need to start the conversation in Ireland on the implementation of AMLD4.
AMLD4's focus on the risk-based approach makes it crucial that Obliged Entities are able to adequately assess the ML and TF risk presented by customers and occasional transactions in order to determine the type of CDD measures they should employ in response.
It remains to be seen whether the Guidelines will represent an adequate guide for Firms in assessing ML and TF risk and applying CDD. The Guidelines themselves state that the risk factors it sets out are not exhaustive. However, the Guidelines do provide a level of detail which is absent in the guidance currently available to Firms in Ireland and should therefore promote consistent implementation of AMLD4's risk-based approach.